Presentation is loading. Please wait.

Presentation is loading. Please wait.

Masaryk U. – related research, interest Laboratory of security and applied cryptography Lab head: Vashek Matyáš Petr Švenda

Published byMyra Norris Modified over 8 years ago

Similar presentations

Presentation on theme: "Masaryk U. – related research, interest Laboratory of security and applied cryptography Lab head: Vashek Matyáš Petr Švenda"— Presentation transcript:

1 www.buslab.org Masaryk U. – related research, interest Laboratory of security and applied cryptography Lab head: Vashek Matyáš Petr Švenda {matyas,svenda}@fi.muni.cz Masaryk University, Brno, Czech Rep.

2 www.buslab.org Masaryk U. – related research, interest The team 4 faculty members full-time ●and 2 postdocs 4 PhD students, 15+ MSc 2-4 faculty members in relevant areas Dedicated lab with basic biometric, smartcard, mobile, wired and WiFi (security) equipment, HSMs, sensor nodes, oscilloscopes…

3 www.buslab.org Masaryk U. – related research, interest Ongoing/past projects Department of Home Affairs ●cryptographic protocols, privacy, intrusion detection in wireless sensor networks – applied research project National Security Authority ●long-term cooperation in the areas of secure H/W, smartcards and related applications, including crypto protocols Czech Science Agency and industry projects ●mobile devices, tokens, biometrics, code audits… EU PICOS (Privacy and Identity Management for Community Services) (STREP) ●mobile privacy preserving services for communities ●requirements (gaming community), architecture, eval. & assurance EU FIDIS Network of Excellence (EC) ●identity, identification, privacy ●autentication – PKI, biometrics, tokens, protocols

4 www.buslab.org Main topics of interest Cryptographic hardware ●mainly smart cards Wireless Sensor Networks ●design and practical implementation of network wide protection layer (privacy, IDS, key distribution) Random number generators ●practical testing: mobile phones, smart cards Evolutionary algorithms + BOINC ●utilization of distributed computation for other areas Masaryk U. – related research, interest

5 www.buslab.org Masaryk U. – related research, interest Main topics of interest – secure hardware Laboratory equipment capable to ●power analysis of smart cards ●fault induction attacks (power&data glitch) ●bytecode level reverse engineering Source code analysis & software-level protections ●automatic source code transformation (CesTa) Design & implementation of smart card protocols ●advanced schemes utilizing on smart cards ●(micro-)payment schemes

6 www.buslab.org Masaryk U. – related research, interest Cryptographic Hardware Security Projects mainly for Czech NSA ●How to select most suitable smart card? ●How to test large batch for same hardware? ●How to detect potential backdoor? ●How to fix problems with hardware in software? Projects with Czech provider of ePassports and citizen ID cards ●How to let user to confirm transcation amount? ●Source code audits

7 www.buslab.org Masaryk U. – related research, interest Basic setup for power analysis Smart card Smart card reader Inverse card connector Oscilloscope Resistor 20-80 ohm Probe

8 www.buslab.org Masaryk U. – related research, interest More advanced setup for power analysis Ethernet Tested smartcard External power supply SCSAT04 measurement board

9 www.buslab.org Database of common operations Power trace of DES, AES, EEPROM, write RAM, RSA, MD5/SHA1/SHA256 … GlobalPlatform SCP’0x, PIN verification… Masaryk U. – related research, interest

10 www.buslab.org Masaryk U. – related research, interest Bytecode - situation with current SC Tested 10 different families from 4 manufactures ●3 with clearly visible bytecode and separators ●3 with visible bytecode, but no separators ●1 with partially visible bytecode ●3 without visible bytecode Caused by used type of the main processor

11 www.buslab.org Masaryk U. – related research, interest Reverse engineering of Java Card bytecode Goal: obtain code back from smart card ●JavaCard defines around 140 bytecode instructions ●JVM fetch instruction and execute it (source code) m_ram1[0] = (byte) (m_ram1[0] % 1); (bytecode) getfield_a_this 0; sconst_0; baload; sconst_1; srem; bastore; (power trace) compiler oscilloscope

12 www.buslab.org Masaryk U. – related research, interest Reverse engineering Target card sadd; sstore 4; sload 4; sconst_1; aload_1; sload 4; sadd; sadd unknown; sload sconst sload sconst

13 www.buslab.org Masaryk U. – related research, interest (bytecode) sload_1; ifeq_w L2; L1: getfield_a_this 0; sconst_0; bastore; goto L3; L2: getfield_a_this 0; sconst_0; sconst_1; bastore; goto L3; L3: … Conditional jumps may reveal sensitive info keys, internal branches, … (source code) if (key == 0) m_ram1[0] = 1; else m_ram1[0] = 0; compiler oscilloscope (power trace, k != 0) (power trace, k == 0)

14 www.buslab.org Masaryk U. – related research, interest Incorrect checksum Incorrect MAC External Authenticate

15 www.buslab.org FITKit logger and manipulator Masaryk U. – related research, interest

16 www.buslab.org Masaryk U. – related research, interest Automated code transformation CesTa project http://cesta.sourceforge.net

17 www.buslab.org Masaryk U. – related research, interest CesTa - main design goals 1.Enhanced security on real applets ●fix what is wrong, add preventive defenses 2.Source code level & auditability ●trust, but verify 3.Complexity is hidden ●clarity of original code 4.Flexibility & Extensibility ●protect against new threats ●protect only what HW does not

18 www.buslab.org Masaryk U. – related research, interest CesTa – basic scheme Write code once, apply only what needed

19 www.buslab.org Masaryk U. – related research, interest CesTa project – current state JavaCard transformations, SC.NET in development Several non-trivial transformations implemented ●low level IfSwitchReplacement (replacement rule) ●generic ShadowVariables (replacement rule) ●generic ValidateStateTransitions (replacement rule) ●generic CheckTransactions (analysis rule) Tested on real (bigger) applets ●JOpenPGPCard, CardCrypt/TrueCrypt, crypto software impl… Transformations can be provided by independent labs ●modular design, open source http://CesTa.sourceforge.nethttp://CesTa.sourceforge.net

20 www.buslab.org Summary 1.Obtain some info from power trace ●JC RE, OpenPlatform operation powertrace 2.Make additional testing ●APDUPlay/FITKitlogger packet manipulation ●Power glitch fault induction ●Combined with power trace 3.Inspection of interface and protocols used ●SACC, APDUPlay ●Often combined with power trace (hidden code detection) 4.Fix problems found with automatic source code transformations ●CesTa project Masaryk U. – related research, interest

21 www.buslab.org Masaryk U. – related research, interest

22 www.buslab.org Backup slides Masaryk U. – related research, interest

23 www.buslab.org Masaryk U. – related research, interest IF_SWITCH transformation Conditional jump (IF THEN ELSE) leaks argument ●IP++ or IP = IP + branch_offset SWITCH also leaks, but have multiple branches ●attacker can still distinguish first and second branch ●but not between second and third branch ●jump executed in both cases ●IP = IP + branch2_offset or IP = IP + branch3_offset Basic idea ●replace IF THEN ELSE -> SWITCH

24 www.buslab.org Masaryk U. – related research, interest IF THEN ELSE still present, but randomized ●attacker can distinguish then and else branch ●but not case 0: and case 1: branch IF_SWITCH transformation – robust version Assumption: comparison and assignment is not leaking Random branch will be taken

25 www.buslab.org Masaryk U. – related research, interest IF_SWITCH template unique ID for expression variable (e.g., expr_res13) jump logical expression (e.g., key == 0) content of THEN branch (e.g., m_ram[0] = 5;) content of ELSE branch (e.g., m_ram[0] = 7;)

26 www.buslab.org Masaryk U. – related research, interest Another attack – fault induction Attacker can induce bit faults in memory locations ●power glitch, flash light, radiation... ●harder to induce targeted then random fault Protection with shadow variable ●every variable has shadow counterpart ●shadow variable contains inverse value ●consistency is checked every read/write to memory Robust protection, but cumbersome for developer 01011010 10100101 01011010 10100101 if (a != ~a_inv) Exception(); a = 0x55; a_inv = ~0x55; 01010101 10101010 01010000 if (a != ~a_inv) Exception(); a = 0x13; a a_inv

27 www.buslab.org Masaryk U. – related research, interest Applet state transition enforcement Applet security states controlled usually ad-hoc ●if (adminPIN.isValidated() && bSecureChannelExists) … ●unwanted (unprotected) paths may exist Possible solution ●model state transitions in inspectable format (DOT (GraphViz) ●automatically generate code for state transitions ●check appropriate states in sensitive methods

28 www.buslab.org Masaryk U. – related research, interest Applet state transition - example

29 www.buslab.org Masaryk U. – related research, interest Check transactions Transactions can breach applet security ●e.g., decreased PIN counter value is rolled back CesTa can detect possible problems in code ●warning is generated

Download ppt "Masaryk U. – related research, interest Laboratory of security and applied cryptography Lab head: Vashek Matyáš Petr Švenda"

Similar presentations

Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University.

Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University.
Smart Cards Our Inevitable Future Mark Shippy. What are smart cards? Credit card sized plastic card with an embedded chip. Credit card sized plastic card.

Smart Cards Our Inevitable Future Mark Shippy. What are smart cards? Credit card sized plastic card with an embedded chip. Credit card sized plastic card.
Match On Card Technology and its use for PKI Mgr. Miroslav Valeš Sales Manager Eastern Europe May 9, 2001 CATE 2001 Security and Protection.

Match On Card Technology and its use for PKI Mgr. Miroslav Valeš Sales Manager Eastern Europe May 9, 2001 CATE 2001 Security and Protection.
Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
POC Security System High security system combining PIN-on-Card, information security, physical access, control and alarm – all in one system.

POC Security System High security system combining PIN-on-Card, information security, physical access, control and alarm – all in one system.
Low Cost Attack on Tamper Resistant Devices Ross Anderson, Markus Kuhn Songpol Manoonpong.

Low Cost Attack on Tamper Resistant Devices Ross Anderson, Markus Kuhn Songpol Manoonpong.
Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.

Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.

Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Cyber Security and Key Management Models Smart Grid Networks The Network System Key Management and Utilization Why Hardware Security Christopher Gorog,

Cyber Security and Key Management Models Smart Grid Networks The Network System Key Management and Utilization Why Hardware Security Christopher Gorog,
Networking Theory (Part 1). Introduction Overview of the basic concepts of networking Also discusses essential topics of networking theory.

Networking Theory (Part 1). Introduction Overview of the basic concepts of networking Also discusses essential topics of networking theory.

Similar presentations

Ads by Google